Thursday, April 7, 2011
Step 5 - Escalation
Now that we're on our target we need to escalate to root privileges. The first step was to edit that shadow file.
Now you can run John against the hash, or we could just copy pirrip's and overwrite the root password, which is what I did in this example.
Let's see if it works.
Step 4 - Penetration
We successfully logged in using pirrip's private/public RSA keys. Let's take a look at the /etc/passwd file for fun.
Notice that pirrip is in a different group from magwitch and havisham. From here I was stuck for a little while. I tried unsuccessfully to download the /etc/shadow file using ssh.
So I decided to start looking around the box and see if there are any interesting directories or files. I ended up looking at the /var/mail directory.
Hmm, email. Maybe there's some good stuff in there...
Hey, check that out, there's pirrip's password!
Step 3 - Enumeration continued
I didn't know you had to do this manually, but Nikto wouldn't scan the users' directories on its own; I had to specify this using the -r switch.
Nothing too interesting right there, let's move on to the next user.
Look at that! pirrip has the .ssh directory available. Let's browse to it and see what's there.
Wow, we can download the user's private and public keys. Remember our Nmap results from earlier? The server is running OpenSSH, which uses RSA for cryptography. RSA uses two keys, a public and a private key. If an attacker gets hold of your private key it is very, very bad. They can assume your identity and log in without needing to supply your password. Let's grab those RSA keys.
I downloaded both keys and put them in my home ~/.ssh directory. We need to chmod the files so they have the correct permissions.
Now let's try to log in using pirrip's keys.
Labels: de-ice level 2, nikto, rsa, step 3 - enumeration
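The finding above (a user's private key sitting in a web-served directory, plus the chmod needed on the copied key) is exactly what an administrator should be auditing for. The following is an added example, not from the original post or the De-ICE image: a small POSIX sh audit that walks a home-directory tree (a constructed temp tree here; the real path would be /home) and reports private keys that are either served from public_html or not restricted to mode 600/400.

```shell
#!/bin/sh
# Added example: audit home directories for exposed SSH private keys.
# Flags a key when it lives under a web-served public_html tree, or when
# its mode is anything other than 600/400 (what ssh itself insists on).

find_exposed_keys() {
    dir="$1"
    find "$dir" -type f \( -name 'id_rsa' -o -name 'id_dsa' \
        -o -name 'id_ecdsa' -o -name 'id_ed25519' \) 2>/dev/null |
    while IFS= read -r key; do
        # Only report files that really contain a private key block.
        grep -q 'PRIVATE KEY' "$key" 2>/dev/null || continue
        case "$key" in
            */public_html/*) echo "WEB-EXPOSED $key"; continue ;;
        esac
        # GNU stat first, BSD stat as fallback.
        perms=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
        case "$perms" in
            600|400) ;;
            *) echo "LOOSE-PERMS($perms) $key" ;;
        esac
    done
}

# Constructed demo tree (user names borrowed from the walkthrough):
# pirrip's key is web-served, havisham's key is world-readable.
make_demo() {
    root=$(mktemp -d)
    mkdir -p "$root/pirrip/public_html/.ssh" "$root/havisham/.ssh"
    for k in "$root/pirrip/public_html/.ssh/id_rsa" "$root/havisham/.ssh/id_rsa"; do
        printf -- '-----BEGIN RSA PRIVATE KEY-----\nDEMO\n-----END RSA PRIVATE KEY-----\n' > "$k"
    done
    chmod 600 "$root/pirrip/public_html/.ssh/id_rsa"
    chmod 644 "$root/havisham/.ssh/id_rsa"
    echo "$root"
}

# Number of findings in the demo tree (expected: 2).
demo_count() {
    root=$(make_demo)
    find_exposed_keys "$root" | wc -l | tr -d ' '
}

demo_count
```

Run it against /home (as root) on a real system with `find_exposed_keys /home`; any WEB-EXPOSED line means the key must be treated as compromised and rotated, not just moved.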
Step 3 - Enumeration
Now that we know there are some web servers running and other services, let's see what we can find out about them.
We can use wget to download that page to our box so we can extract some of those email addresses.
Let's cut that file so we only show user IDs.
Great! Now we have user IDs we can test with. I also ran Nikto against this host to see what we could find out.
Nikto shows that this server might be susceptible to directory indexing. I used Dirbuster to see what I could find out.
Dirbuster didn't return anything interesting when I scanned the .100 target. But look what it showed on the .101 box.
It looks like our user ID list we made earlier wasn't entirely accurate. I edited it down to only include the names found in the Dirbuster report: pirrip, havisham, magwitch.
I tried browsing the ~pirrip directory on the web server but there were no files found.
Labels: de-ice level 2, dirbuster, nikto, step 3 - enumeration
Step 2 - Scanning
Let's take a closer look at the .100 and the .101 boxes.
I forgot to take a screen capture of the .101 box, but it was running Apache on port 80.
Step 1 - Footprinting
Let's get started. The scenario just said that we are looking for boxes in the 192.168.2.X range. Let's run Nmap and see what hosts pop up.
As you can see, we have 3 hosts identified. I already know the .154 is my box, so we should take a look at the .100 and the .101 boxes.
De-Ice level 2
Now that I finished up the level 1 CD I decided to try the level 2 image. Here's the scenario for this one.
I'll be using VMware again to host my attacking box and the vulnerable image.
SCENARIO
The scenario for this LiveCD is that you have been given an assignment to test a company's 192.168.2.xxx network to identify any vulnerabilities or exploits. The systems within this network are not critical systems and recent backups have been created and tested, so any damage you might cause is of little concern. The organization has had multiple system administrators manage the network over the last couple of years, and they are unsure of the competency previous (or current) staff2